Thanks Lennart!  Proxy roles do sound like the answer, but I cannot
get them working.  When I restrict my private script so that only
Managers have View permissions and give my public script Manager proxy
roles, I am still prompted for a login box when I try to view the
public script.  When I cancel, I get the following error:

Error Type: Unauthorized
Error Value: You are not allowed to access 'meta_type' in this context

This is different from the standard "You are not authorized to access
this resource. No Authorization header found." error which I get when
I try to access the private script directly, but conveys little to me.
What does it mean and how do I fix it?

On 2/11/06, Lennart Regebro <[EMAIL PROTECTED]> wrote:
> On 2/11/06, Michael Shulman <[EMAIL PROTECTED]> wrote:
> > Is there a way in Zope to restrict permissions for direct access only
> > (i.e. calling an object through the web) but still allow indirect
> > access (i.e. executing an object that was called by another object
> > that was called through the web)?
> Yes. If that "other object" is disk-based python, it is most likely
> able to do it already. If it is a python-script, you can set it up to
> have a proxy role. That way your auxiliary scripts can all require
> manager roles, and you can give the scripts that need to call them the
> Manager proxy-role
> > Feel free to tell me that I am misunderstanding the way security
> > works, or is supposed to work, in Zope, or that if this is something I
> > need to do I am designing my site incorrectly from the point of view
> > of Zope security (and if so, what is the correct way to design it?).
> No you seem to have got it. Although the next time you do something
> that complex you might want to look into making a disk-based prodct
> instead. It's often easier for complex features.
> --
> Lennart Regebro, Nuxeo
> CPS Content Management
Zope maillist  -
**   No cross posts or HTML encoding!  **
(Related lists - )

Reply via email to